JP2000261486A - Packet communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To built up a high security system in packet communication. SOLUTION: The packet communication system transmits packets each including an address field and a data field on a network where a plurality of terminals 12A-1-12A-3, 12B-1-12B-3, 12C-1-12C-3 and a plurality of routers 10A-10D are interconnected. Each of a plurality of the terminals and the routers has an encryption/decoding device. Each encryption/decoding device of a plurality of the terminals encrypts address information at least in the address field in the case of packet transmission and decodes the encrypted address information in the case of packet reception. Each encryption/decoding device of each router decodes the encrypted address information and transmits the packet to a communication path selected according to the information in a routing table.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet communication system for transmitting a packet including an address field and a data field on a network in which a plurality of terminals and at least one router are connected. Concerning system construction.

[0002]

2. Description of the Related Art In recent years, packet communication has been actively performed via a packet switching network such as the Internet or a local area network.
At this time, when transmitting highly confidential data, it is common to transmit encrypted data over a public line.

[0003] Encryption methods are roughly classified into secret key encryption and public key encryption.
S (Data Encryption Standard) and public key encryption include RSA (Rivest Shamir Adleman criptograph).

[0004] In principle, DES is a method of rearranging and replacing data bit strings, and RSA is a method of performing an extremely multi-bit remainder operation. In general, a public key cryptosystem is several hundreds more than a secret key cryptosystem. Twice as slow. This is because in the public key cryptosystem, a very multi-precision remainder operation modulo several hundred bits or more is performed.

Therefore, usually, a high-speed secret key cryptosystem is used for encrypting a large amount of data strings, and a public key cryptosystem is used for authentication, signature and key distribution with a small amount of data. They are used properly.

[0006] In the public key cryptography, since the encryption strength can be selected by changing the bit length of the key, it is required that the operation can be performed using public keys of various bit numbers disclosed by a communication partner.

[0007] When encrypting or decrypting data using application software when transmitting highly confidential data, the encryption and / or decryption becomes more complicated as the encryption becomes more complicated so that the decryption becomes more difficult. As the amount of data to be processed becomes enormous, the processing requires a relatively long time.

[0008] Further, in the encryption or decryption processing using application software, it is necessary to read the contents of the packet that has been sent to the operation system (OS). At this time, the OS of the device other than the source or destination
However, there is a problem that the content of the packet recorded in the communication can be deciphered with malicious intent, or the communication of another person can be intercepted using a line analyzer or the like, resulting in low security.

In particular, as specified in the DES that it must be realized using hardware technology,
In the case of a software-only encryption / decryption system, it is practically difficult to avoid decryption by a third party. If a part of the encryption algorithm is implemented as hardware, the encryption strength will be higher.

[0010] The same applies to the public key cryptosystem. For example, a one-chip public key cryptographic processor has been proposed (Transactions of the Institute of Electronics, Information and Communication Engineers, DI Vol. J80-DI).
No. 8 pp. 725-735 1997-8).

[0011] However, the one-chip public key cryptographic processor can perform arbitrary precision processing within the precision specified in advance by hardware, but when an accuracy exceeding the specified precision is required, A problem arises in that processing cannot be performed, and new hardware must be designed.

An object of the present invention is to provide a packet communication system capable of performing highly secure packet communication while reducing the amount of data to be encrypted.

Another object of the present invention is to provide a packet communication system with higher security which enables a system capable of performing an operation of arbitrary precision for encryption or decryption to be easily constructed in hardware. It is in.

[0014]

SUMMARY OF THE INVENTION The present invention provides a packet communication system for transmitting a packet including an address field and a data field on a network in which a plurality of terminals and at least one router are connected.
Each of the plurality of terminals and the at least one router has an encryption / decryption device, and each of the plurality of terminals transmits at least address information in the address field by the encryption / decryption device when transmitting a packet. And at the time of packet reception, the encrypted address information is decrypted by the encryption / decryption device, and the at least one router decrypts the encrypted address information by the encryption / decryption device; The packet is transmitted to a communication path selected according to information in a routing table.

In this case, in each of the plurality of terminals, at the time of packet transmission, one or both of the destination address information and the source address information in the address field are encrypted by the encryption / decryption device.

As described above, according to the present invention, the address information to be encrypted includes the address information in the address field. Even if the data in the data field in the packet is eavesdropped without encryption, the data itself may not make sense if one or both of the source and destination are encrypted. It is. Therefore, if both or one of the source address information and the destination address information is encrypted, the confidentiality of the data is ensured as a result.

A confidential data field in which confidential data is stored is provided in the data field of the packet, and each of the plurality of terminals encrypts the confidential data in the confidential data field with an encryption / decryption device when transmitting the packet. Can be.

In this case, the security of the confidentiality of the packet is further ensured.

Each of the encryption / decryption devices includes a plurality of modular exponentiation units, a plurality of cascade terminals for cascading the plurality of modular exponentiation units,
Wherein each of the plurality of modular exponentiation units includes:
It has a multiplication unit that performs multiplication with a multiplication accuracy of 2 ^m bits (m is a natural number) and a division unit that performs division with a division accuracy of 2 ^{2 · m} bits, and is performed by the plurality of modular exponentiation units. Assuming that the maximum operation precision of the modular exponentiation operation is 2 ⁿ (n is fixed as a natural number), the number of the plurality of modular exponentiation arithmetic units is x such that x ≧ 2 ⁿ / 2 ^m (x is fixed as a natural number). Once connected, it can perform encryption or decryption.

In this way, hardware processing is facilitated by performing distributed processing of the arithmetic processing for encryption or decryption by a plurality of modular exponentiation arithmetic processing units. Even when the arithmetic amount is large and precision is required, The system can be easily constructed to increase the speed of the arithmetic processing. As described above, the operation accuracy in the modular exponentiation operation can be easily extended in terms of hardware, and sufficient reliability can be ensured in the accuracy of the key used for encryption and decryption. Further, if encryption and decryption are performed by hardware, data can be processed without being sent to the operation system, so that security is ensured.

Further, as a result of the distributed processing, the number of gates of the modular exponentiation operation unit can be suppressed, and the cost of the apparatus can be reduced. Since the modular exponentiation operation unit can be configured with such a small number of gates, it is possible to easily construct an encryption / decryption system even in packet communication between personal computer systems, for example.

At the time of arithmetic processing of encryption or decryption,
The calculation accuracy required for the calculation process is 2 ⁿ¹Bit (n1 ≦ n
And n1 is variable), x1 ≧ 2ⁿ¹/ 2^m(X1 ≦
x) so as to satisfy x)
X1 units are cascaded. At this time,
For example, from the clock generation circuit, 2ⁿ¹Criteria
Generate a clock signal. In this way, x
X1 arithmetic units are effectively cascaded
It is. In this case, it is consumed by arithmetic units other than x1
Power consumption can be saved, and the calculation speed can be increased. Further
In addition, signals are transmitted by optical signals between multiple arithmetic units
By doing so, the calculation speed becomes higher.

If an optical signal is transmitted between a plurality of modular exponentiation operation units, the operation in the encryption / decryption device can be further speeded up.

Each of the modular exponentiation multiplication units includes an operation module to be operated with an operation accuracy of 2 ^{m /} y.
(Y is a natural number) and can be configured by cascading y arithmetic modules.

At this time, when the operation precision required in the operation processing is 2 ⁿ¹ bits (n1 ≦ n and n1 is variable), y1
It suffices that y1 operation modules be cascaded so as to satisfy ≧ 2 ⁿ¹ / 2 ^{m / y} (y1 is a natural number).

If a signal is transmitted by an optical signal between the maximum y operation modules, the operation in each operation unit is speeded up.

[0027]

Preferred embodiments of the present invention will now be described with reference to the drawings.

(Explanation of Network System) FIG.
1 shows a network system according to the present invention. FIG.
, The personal computer 1 as a plurality of terminals
2A-1 to 12A-3, 12B-1 to 12B-3, 12
A network (packet switching network) is configured by connecting C-1 to 12C-3 and the four routers 10A to 10D via the line 11. This packet switching network is governed by several rules (protocols).
SMISSION CONTROL PROTOCOL / INTERNET PROTCOL) = OS
A communication protocol corresponding to the four layers (transport layer) / 3 layers (network layer) of the I protocol is implemented, and a public communication network between computers is configured.

Here, the routers 10A to 10D are intelligent bridges that guide the packets so as to be delivered to the destination, read the addresses described in the first few lines of each packet, and send the packet to its destination. The best route to send is determined in consideration of the degree of congestion.

Each of the personal computers 12A-1 to 12A-3, 12B-1 to 12B-3, 1 shown in FIG.
2C-1 to 12C-3 have the same configuration as the personal computer 12, as shown in FIG.

The personal computer 12 is roughly divided into a personal computer main unit 13 connected to the line 11 via an input / output device 13A and having an external storage device such as a hard disk, and a personal computer main unit 13. An encryption / decryption device (programmable digital processor) 14 is connected via the interface 13B and the bus 2. The personal computer 12 further includes a keyboard 15 for inputting various data, a display 16 for performing various displays, a display (not shown), and the like.

As described above, each of the personal computers 12 connected to each other by the line 11 has the encryption / decryption device 14. When information is output from one personal computer 12 to another personal computer 12 via the line 11, a part of the information transmitted on the line 11 is encrypted. That is, the encryption / decryption device 14 provided in one personal computer 12 encrypts transmission information, and the encryption / decryption device 14 provided in another personal computer 12 decrypts received information.

On the other hand, the routers 10A to 10D have the same configuration as the router 10, as shown in FIG.
This router 10 includes a router body 17 for selecting a route of packet communication according to information of a built-in routing table, and an encryption / decryption device connected to the router body 17 via the bus 2 as in FIG. (Programmable digital processor) 14.

Here, each personal computer 1
The packet 18 transmitted and received by the input / output unit 13A of the second
As shown in FIG. 4, it includes an address field 18A and a data field 18B.

In the present embodiment, the encryption / decryption device 14 of each personal computer 10 encrypts at least the address information in the address field 18A when transmitting a packet, and decrypts the encrypted address information 18B when receiving a packet. On the other hand, the encryption / decryption device 14 of each router decrypts the encrypted address information and transmits the packet 18 to the communication path selected according to the information in the routing table (communication path control information).

The address information to be encrypted may be the source address information in the source address field 18A-1 and / or the destination address information in the destination address field 18A-2 shown in FIG. . For example, a case will be described as an example in which the personal computer 12A-1 in FIG. 1 transmits billing data for remitting 1 million yen to the personal computer. In this case, even if "transmit 1,000,000 yen" is eavesdropped without encryption, if the data of one or both of the source and the destination is encrypted, the data itself has no meaning. . Therefore, if both or one of the source address information and the destination address information is encrypted, the confidentiality of the data is ensured as a result.

Alternatively, a part of the information to be encrypted includes a secret data field 18B- in the data field 18B in addition to the address information in the address field 18A.
1 may include confidential data. In the above example, "Sender 12" is included in the confidential data field 18B-1.
A-1, the destination 12C-1 ", and when the normal data field 18B-2 says" Remit 1,000,000 ", the information in the address field 18A and the confidential data field 18B-1 should be encrypted. Thus, the confidentiality of data is ensured in the same manner as described above.

Alternatively, the confidential data field 18B-
1 indicates that "1,000,000 yen is to be remitted," and the normal data field 18B-2 indicates "sender 12A-1, destination 1
2C-1 ", data confidentiality can be similarly secured. In this way, a high level of security can be ensured, despite the small amount of information to be encrypted. Also, if only the information in the specific field is encrypted, which information in the packet 18 is to be encrypted can be distinguished by the field.

On the other hand, the router 10 selects a router or a personal computer to which the packet 18 is to be transmitted based on the information in the address field 18A in the packet 18 and the information in the routing table in the router body 17. Do. Therefore, the encryption / decryption device 14 of the router 10 decrypts the encrypted address information in the source address field 18A-1 and / or the destination address field 18A-2 in the address field 18A in the packet 18. . This allows
The router 10 can know the source address and the destination address, and can select the transmission route of the packet 10.

(Schematic Configuration and Operation of Encryption / Decryption Device) FIG. 5 shows the configuration of the encryption / decryption device 14 shown in FIGS.

The encryption / decryption device 14 has a system ROM and a system RAM (not shown), and the encryption and decryption processing procedures are performed in advance in the personal computer body 13 shown in FIG. 2 or in the router body 17 shown in FIG. Is loaded via the bus 2 from the main microprocessor 1 side and programmed.

The encryption / decryption device 14 includes a control unit 5 for controlling the entire control, a RAM 6 and a ROM 8 for storing various data in the middle of calculations, processing procedures, and the like.
X (x is fixed to a natural number) power-residue operation units 7-1 to 7-x each performing an operation with an operation precision of 2 ^m bits (m is fixed to a natural number), and these power-residue operation units 7-1 to 7-7 A switch SW for cascade-connecting −x, an internal system bus 4A for transferring address data, instruction data, and the like, and an internal data bus 4B for transferring various data. In addition,
The internal system bus 4A and the internal data bus 4B constitute the internal bus 4. The switch SW is shown for convenience so that the configuration of the present embodiment can be understood in the drawings. In practice, the number of modular exponentiation operation units to be effectively cascaded depends on the encryption / decryption device 1
For example, the switch SW is determined based on the number of reference clock signals generated from the control unit 5 in the control unit 4 and is not mechanically turned on and off. This will be described later.

In this case, when the maximum bit precision obtained when all x modular exponentiation arithmetic units are cascaded is 2 ⁿ (n is a natural number), the maximum number x cascaded is as follows: It is necessary to satisfy the conditional expression shown in.

X ≧ 2 ⁿ / 2 ^{m If} the required operation precision is bit precision 2 ⁿ¹ (n1 is variable and n1 ≦ n) which is equal to or less than the maximum bit precision 2 ⁿ , x power-residue operations are performed. Although it is possible to obtain the operation result even when all of the units 7-1 to 7-x are in the operable state, among the maximum x modular exponentiation operation units, x ≧ x1 ≧ 2 ⁿ¹ / 2 ^m (x1 is a variable X1 power-residue operation units 7-1 to satisfy
7-x1 may be cascaded so as to operate effectively. In this way, by performing the calculation with 2 ⁿ¹ bit precision, the power consumption can be optimized without unnecessarily consuming the power, and the calculation processing time can be optimized.

Here, the modular exponentiation operation units 7-1 to 7-1
In each of 7-x, y power-residue operation modules 9-1 to 9-y to be operated with an operation accuracy of 2 ^{m / y} (y is an integer of 2 or more) are cascade-connected via a switch SW. It is possible. The switches SW are shown for convenience so that the configuration of the embodiment can be understood on the drawings. In practice, the number of modular exponentiation modules to be effectively cascaded depends on the encryption /
It is determined based on the number of reference clock signals from the control unit 5 in the decoding device 14, for example, and the switch SW is not turned on and off mechanically.

Here, for example, the modular exponentiation operation unit 7
When −1 and the modular exponentiation operation unit 7-2 are effectively cascaded, this is equivalent to cascading a total of 2y modular exponentiation arithmetic modules.

In this embodiment, all of the power-residue operation modules 9-9 in one power-residue operation unit are used.
Of the numbers 1 to 9-y, it is also possible to effectively cascade the number of operation modules y1 ≧ 2 ⁿ¹ / 2 ^{m / y} (y1 ≦ y) sufficient to perform the operation with 2 ⁿ¹ bit precision. .
This makes it possible to further optimize power consumption and arithmetic processing time.

Alternatively, to perform the operation with 2 ⁿ¹ bit precision, (x1-1) power-residue arithmetic units 7-1 to 7-1 are used.
7- (x1-1) and a modular exponentiation unit 7-x1
It is also possible to use y1 modular exponentiation operation modules. In this case, the (x1-1) modular exponentiation units 7-1 to 7- (x1-1) have 2 ⁿ² (n
Assuming that an operation with bit precision of 2 <n1) is performed,
It is sufficient that y1 ≧ (2 ⁿ¹ −2 ⁿ² ) / 2 ^{m / y} (y1 ≦ y) is satisfied.

Next, the operation of the apparatus shown in FIGS. 1 to 5 will be described.

First, the main microprocessor 1 supplies operation accuracy data corresponding to the operation accuracy required for encryption / decryption to the encryption / decryption device 14 via the bus 2.

As a result, the control unit 5 of the encryption / decryption device 14 has the modular exponentiation units 7-1 to 7
For −x, based on the processing procedure from the main microprocessor unit 1 and / or the RAM 6 (encryption procedure shown in FIG. 15 described later), a modular exponentiation unit or a power of a number corresponding to the required operation precision 2 ⁿ¹ Controls the remainder operation module. Modular exponentiation unit 7
-1 to 7-x are based on the accuracy information of each operation data,
The number of units and modules to be cascaded is determined. The number of units and modules to be cascaded is determined by the number of reference clock signals required for the operation. This reference clock signal is shown in FIG.
Is generated by a reference clock signal generating circuit (not shown) included in the computer main unit 13 shown in FIG. 3, the router main unit 17 shown in FIG. 3, or the control unit 5 shown in FIG.

Thus, the modular exponentiation arithmetic units and arithmetic modules of the number required for the operation are effectively cascaded, and the control unit 5 converts the arithmetic to the modular exponentiation arithmetic unit based on a pre-programmed processing procedure. Will be performed.

The obtained operation result (encryption) of precision 2 ⁿ¹ is transferred to the bus 2 and the input / output unit 13A
To the line 11 side, or outputs the decoding result to the main microprocessor 1 in the computer body 13 or the router body 17 via the bus 2.

Here, in this embodiment, the signal on the bus 2 between the chips, that is, between the main microprocessor unit 1 and the encryption / decryption device 14 in FIG. 5 may be a multi-channel electric signal, May be multi-channel optical signals of different types. There have already been many proposals for technologies for optically communicating between chips.

In addition, in this embodiment, an optical signal can be transmitted between some or all of the units in the encryption / decryption device 14 constituting one chip. That is, the internal system bus 4A and the internal data bus 4B of the encryption / decryption device 14 shown in FIG. 5 are used as optical transmission paths. Then, the control unit 5 and
Optical signals can be transmitted between the RAM 6, the ROM 8, and each of the x modular exponentiation units 7-1 to 7-x via the internal system bus 4A and the internal data bus 4B. At this time, as a storage element constituting the RAM 6,
If information other than an electric signal is stored, for example, information magnetized like a ferroelectric memory, it is not necessary to convert an optical signal into an electric signal. For example, when a ferroelectric memory is used, information magnetized based on an optical signal may be stored. Further, x power remainder arithmetic units 7-1 to 7-1
Since the buses 7-x are also substantially connected to each other, these buses can be used as optical transmission lines, and optical power signals can be transmitted between the modular exponentiation units. A specific example in which an internal bus in one chip is used as an optical transmission line will be described later.

In the above description, a description has been given of a case in which a maximum of x modular exponentiation units are mounted. However, in order to extend the function later, the external modular exponentiation unit is provided to the encryption / decryption device 14. A terminal for cascade connection may be provided. In this way, if the external power-residue operation units are configured to be connected in cascade, it is possible to secure operation accuracy higher than the operation accuracy obtained by cascade-connecting only the internal power-residue operation units.

More specifically, even when the encryption / decryption device 14 has a one-chip configuration, as shown by a broken line in FIG. 5, one or a plurality of programmable digital processors 14 'are connected to an internal data bus and an internal data bus. Cascade connection can be performed via a cascade connection terminal (not shown).
In this case, the programmable digital processor 1
The modular exponentiation unit in 4 ′ is transmitted to the encryption / decryption device 1
4 is equivalent to being connected in cascade with the modular exponentiation operation unit 4. In this sense, one or a plurality of programmable digital processors 1 are provided to the internal modular exponentiation operation units 7-1 to 7-x in the encryption / decryption device 14.
The modular exponentiation unit 4 ′ functions as an external modular exponentiation unit. In this embodiment, the internal power-residue operation unit and the external power-residue operation unit can also be transmitted by an optical signal.

When a plurality of external power-residue calculation units are constituted by, for example, TFTs (Thin Film Transistors), a maximum of z external power-residues are generated due to the occurrence of defective transistors due to defects or the like. There is a possibility that the entire arithmetic unit cannot be used.

Therefore, it is preferable to prepare at least K (z ≧ K / A) power-residue calculation units in advance with respect to the yield rate A of the power-residue calculation units. By doing so, it is possible to connect up to z non-defective product modular exponentiation units among the K modular exponentiation units.

Further, an internal power-residue operation unit for performing an operation with an operation accuracy of 2 ^m1 bits (m1: natural number) in the encryption / decryption device 14 and an operation accuracy of 2 ^m2 bits (m2: In order to perform cascade connection with an external power-residue operation unit that performs an operation using natural numbers) and perform an operation with a maximum operation accuracy of 2 ⁿ , the number z of connections of the external power-residue operation unit is set so as to satisfy the following expression. do it.

Z ≧ (2 ⁿ −2 ^m1 ) / 2 ^m2 Further, desired bit precision 2 ⁿ¹ (n1 is a natural number and n
When the calculation is performed with 1 ≦ n), of the z external power residue calculation units, the external power residue calculation is performed such that z ≧ z1 ≧ (2 ⁿ¹ −2 ^m1 ) / 2 ^m2 (z1 is a natural number). If the units are connected in cascade, only the external power-residue arithmetic unit required for the operation can be operated. As a result, it is possible to optimize the power consumption and the arithmetic processing time.

When configuring the encryption / decryption device 14, the main microprocessor 1 is an essential component in the configuration shown in FIG. However, if the encryption / decryption device 14 has the function of the main microprocessor 1 and is configured to load a program from a storage device or an external storage device via the bus 2, the main microprocessor 1 becomes unnecessary.

In the above description, only the case where the encryption / decryption device 14 loads a program has been described, but the present invention is not limited to this. For example, a program of a processing procedure is stored in a non-volatile memory such as a mask ROM, a PROM, or an EEPROM in advance, and an operation is performed based on a processing procedure fixed based on the program.
It is also possible to realize the fixed processing procedure by hardware logic.

As described above, according to the present embodiment, the encryption / decryption device 14 for performing the operation with the desired accuracy can be easily realized in hardware, and the operation accuracy can be improved. It is possible to easily cope with the expansion in terms of hardware.

In this embodiment, the control unit 5 and the RAM 6 are provided in the encryption / decryption device 14. However, the encryption / decryption device 14 is configured so that the main microprocessor 1 performs these functions. However, it is also possible to configure only the exponentiation remainder arithmetic unit in a one-chip configuration and to function as an arbitrary-precision general-purpose arithmetic processor.

(Specific Example of Encryption and Decryption Processing) Next, specific encryption processing and decryption processing in the encryption / decryption device 14 will be described.

[1] Explanation of Principle of RSA Method First, prior to a description of specific processing contents, an RSA method, which is a typical public key cryptosystem, will be described.

As a usage form of the network encryption, a sender encrypts a plaintext using an encryption key and transmits the encrypted text, and a receiver of the encrypted text decrypts the encrypted text using a decryption key and returns to the plaintext. .

In the secret key cryptosystem, the encryption key and the decryption key are the same, whereas the public key cryptosystem is not the same, and the encryption key is made public and the decryption key is kept secret. Next, the principle of the RSA scheme, which is a typical public key cryptosystem, will be described.

The plaintext is divided into some appropriate blocks, and a numerical value corresponding to the block is M. The prime numbers p and q are determined, kept secret as a decryption key (private key), and the following relationships n and e are set as public keys (public key).

N = pq (1) gcd (e, (p−1, q−1)) = 1 (2) Here, the greatest common contract of e and (p−1) (q−1) The number is 1, that is, a positive number e relatively prime to (p-1) (q-1) is appropriately determined.

Then, as shown in the following equation (3), the sender calculates the remainder operation of the plaintext M raised to the power of e using the public key (the remainder C obtained by dividing ^Me by n) using the public key. ) And transmit the ciphertext C.

[0073] ^{M e ≡C mod n ...... (3} ) Thus, the receiver that has received the cipher text C first uses the private key, by the following formula (4) (p-
1) Find the reciprocal d of e modulo (q-1).

Ed @ 1 mod (p−1) (q−1) (4) With the obtained d, the ciphertext C is decrypted into the plaintext M from the following equation (5).

C ^d ≡M mod n (5) By the way, equations (4) and (5) are obtained by calculating (p−1) and (q−
If the least common multiple 1 cm (p-1, q-1) of 1) is used, d can be determined to be small, and the calculation amount can be reduced as shown in the following equations (6) and (7).

Gcd (e, lcm (p−1, q−1)) = 1 (6) ed≡1 mod lcm (p−1, q−1) (7) In this case, the public key Since n is the product of the private keys p and q, it is usually selected to be 512 bits or more so that it cannot be easily factored.

As described above, the RSA method is widely recognized as a method having a high encryption strength by performing a mathematical element called prime factorization and multi-precision remainder operation.

[2] Example of Remainder Calculation Since the result of the modular exponentiation operation of Expressions (3) and (5) is an encrypted / decrypted text, a rounding operation or a floating-point operation cannot be used, and the operation must be an integer operation. The modular exponentiation operation divides the exponent into parts that can be divided by the system, and can be obtained by repeating the product of the smaller modular exponentiation. For simplicity of explanation, an example of a very small numerical value is shown.

Assuming that the public key is n = 55 and e = 7,
The private key is p = 5 and q = 11.

Assuming that the plaintext M = 3, the ciphertext C is obtained by using the public keys n and e in the encryption by the equation (3).
Obtain C = 42 from a more 3 ⁷ ≡C mod 55.

In the decryption, d is obtained from p and q of the private key.
Is selected as follows.

From equation (4), 7d≡1 mod (5-1) (11-1), that is, d = 23 from 7d≡1 mod 40.

M = 3 from 42 ²³ ≡M mod 55.

In the remainder operation, when X≡r1 mod n and Y≡r2 mod n, the multiplication of the following equation (8) modulo n is satisfied.

XY≡r1 · r2 mod n (8) The exponent is divided into operable parts by this relational expression.

For example, Therefore, first, we obtain the two remainders of 42 ⁵ and 42 ^3.

42 ⁵ ≡12 mod 55 42 ³ ≡3 mod 55 From equation (8), 42 ²³ ≡12.12.12.12.3≡r mod 55 ↑ ↑ ↑ ↑ １ r1 r2 r3 r4 r5

Next, the remainder r _1-2 is obtained from r1 · r2.

[0089] than _{r1 · r2≡12 · 12≡r 1-2 mod 55} , the r _1-2 = 34. In the same manner, r _1-3 = 23 from r _1-2 · r3ｒ34 · 12≡r _1-3 mod 55. Further, from r _1-3 · r4≡23 · 12≡r _1-4 mod 55, r _1-4 = 1. Furthermore, r _1-4 · r5≡1.3≡r mod 55 is obtained, and r = 3 is obtained.

The maximum precision of each remainder multiplication in the above-mentioned remainder calculation process can be less than twice the modulus n. In this way, the target remainder can be calculated by repeating the remainder calculation replaced with a small numerical value.

[3] General Method of Encryption and Decryption Processing Here, a general method of encryption and decryption processing based on RSA will be described with reference to FIG.

First, in the remainder operation for A ^m ≡R mod n, each value of A, m, and n is input (step S
1).

The congruence expression A ^m ≡R mod n is obtained by encrypting a plaintext M as A and a public key e as m.
The R obtained by the remainder operation modulo the public key n becomes the ciphertext C. In the decryption, ciphertext C is A, d selected from public key e and private keys p and q is m, and R obtained by remainder operation modulo n is plaintext M.

[0094] First, determine the number of bits K1 in A (step S2), and obtains the maximum exponent N of A ^N in the remainder operation system from a few bits of A K1 (step S3).

[0095] Then the maximum exponent N is determined whether or not 1 (step S4), and to become a precision over by A ² if the maximum exponent N = 1, seeking A≡r mod n (step S5 ), The number k of bits of the remainder r is obtained (step S6), and the block size of A is determined from the number k of bits (step S7).

If the block size of A is within the accuracy (step S7; No), m multiplications of A by n are performed, and the remainder R obtained from the result is obtained (step S7).
8).

If the block size of A is out of accuracy (step S7; Yes), the data is too large and overflows (step S9). The process ends (step S10).

On the other hand, if N is 2 or more (step S
4; No), decompose m into qN + a (step S1)
1) If a is not 0 (step S12; Ye)
s), obtains a A ^a (step S13), and obtains the remainder r1 of the A ^a divided by n (step S14). Next, it is determined whether or not q = 0 (step S15). If q = 0 (step S15; Yes), r1 is the remainder R to be obtained (step S16).

If it is determined in step S15 that q ≠ 0 (step S15; No), A ^N is obtained (step S17), and a remainder r obtained by dividing A ^N by n is obtained (step S18).

Then, the remainder r is substituted for r00 (step S19), and q A ^N are multiplied modulo n (step S20). If a ≠ 0 (step S20)
21; No), a remainder obtained by dividing the product of the obtained multiplication result r and r1 by n is obtained (step S22), and the obtained remainder r is set as a remainder R to be finally obtained (step S23). It is output as remainder data (step S24).

As described above, the encryption and decryption processing (remainder operation processing) of the public key cryptosystem based on RSA is complicated. In particular, in an encryption / decryption system, as described above, n is as high as 512 bits or more. If the distributed processing of division is impossible because of the accuracy, it is difficult to implement hardware as in the present embodiment, and the above processing is performed by software, and the programming is not easy. It can be easily inferred that the calculation time is required.

[4] Configuration of Public Key Encryption / Decryption System FIG. 6 shows an encryption / decryption device 14 shown in FIG.
FIG. 2 is a block diagram represented as a modular exponentiation operation device. This encryption / decryption device 14 as a modular exponentiation device has
When roughly classified, an arbitrary-precision division device 20 for performing arbitrary-precision division within a predetermined accuracy range and an arbitrary-precision multiplication device 21 for performing arbitrary-precision multiplication within a predetermined accuracy range are provided. Is done.

This arbitrary precision division device (division unit) 2
0 and the arbitrary precision multiplication device (multiplication unit) 21 are shown in FIG.
Corresponds to one power-residue operation unit 1 among the power-residue operation units 7-1 to 7-x.

The arbitrary-precision division device 22 calculates the maximum multiplication accuracy 2
Multiplication is performed with an arbitrary multiplication precision within ^m bits (m: fixed as a natural number), and the arbitrary precision division device 20 (division unit) performs division with an arbitrary division precision within a maximum division precision of ^{22 m} bits.
Then, by connecting x power-residue arithmetic units 7-1 to 7-x so as to satisfy x = 2 ⁿ / 2 ^m , an arbitrary-precision power-residue for performing encryption and decryption with a maximum of 2 ⁿ bits is performed. An arithmetic unit (encryption / decryption device 14) can be configured.

[5] Arrangement of Arbitrary Precision Divider and Arbitrary Precision Multiplier As shown in FIG. 7, the arbitrary precision divider 20 is a first divider 25 of 8-bit precision to which dividend data and divisor data are respectively input. -1 to H-th divider 25-H (H: an integer of 2 or more) for cascading H dividers (division modules) and corresponding 8-bit precision dividers based on the precision information data The first switches SW1 to (H
-1) switches SW (H-1) and (H-1) switches SW (H-1).
-1) The switches SW1 to SW (H-1) cascade-connect a required number of dividers based on the accuracy information data.

The switches SW1 to SW (H-
1) is also shown for convenience of explanation similarly to the case of FIG. Further, it is also possible to configure so that all the inputs and outputs between each 8-bit divider and each input / output to each 8-bit divider are transmitted as optical signals.

More specifically, when performing 8-bit precision division, all switches SW1 to SW (H-1) are open, only the first divider 25-1 operates, and 16
When performing bit-precision division, the first switch SW1
Only in the closed state, the first divider 25-1 and the second divider 25-2 operate, and when performing division with (8 × J) accuracy, (J: 2 or more and (H-1) or less) Integers), the first switch SW1 to the (J-1) th switch SW (J-1) are all closed, and the first divider 25-1 to the Jth divider 25-J
Will work.

The dividend data and the divisor data are
The lower 8 bits are sequentially supplied to the J-th divider from the first divider 25-1 in 8-bit units.

The arbitrary-precision multiplying device 21 has substantially the same configuration as the arbitrary-precision dividing device 20 except that the 8-bit divider is replaced with an 8-bit multiplier, and a description thereof will be omitted.

As described above, the power-residue calculation units 7-1 to 7-x shown in FIG. 5 for performing the power-residue calculation are provided with the input signal lines of the dividend data, the divisor data and the precision information data, and the output of the quotient data and the remainder data. A cascade connection terminal for cascade connection of signal lines;
= 2 ⁿ / 2 ^m so that the modular exponentiation operation unit 7−
By connecting a maximum of x 1 to 7-x, a maximum of 2 ⁿ
Bit-precision encryption and decryption can be performed.

If the bus 22 shown in FIG. 6 is used as an optical transmission line, an optical signal can be transmitted between the arbitrary precision multiplying device 21 and the arbitrary precision dividing device 20.

[6] Configuration of Divider Next, the configuration of the divider constituting the arbitrary-precision divider 20 will be described.

[6.1] Algorithm of Divider First, before describing the divider, the algorithm of the divider will be described.

Regarding division, although not so much as multiplication, various algorithms have been devised. Also, in signal processing, division is not used as frequently as multiplication.

However, in signal normalization, encryption / decryption as a concealment technique in computer communications and information networks, in feature extraction in speech recognition, calculation of linear prediction coefficients based on a frequency spectrum (product sum is 70 times) , Division 12 times), in a fault-tolerant system, etc., when division is required, the realization is not as easy as multiplication, and conventionally, it is necessary to obtain a result with high accuracy and high speed. There was no effective means.

The following four types of division realizing methods are known.

(1) A look-up table (conversion table) indicating the relationship between the variable x and 1 / x is prepared in the ROM, and the division of y / x is replaced with the multiplication of y (1 / X). "Reciprocal ROM method" to execute.

(2) Instead of directly executing the division of y / x, logx and log are calculated from x and y by a logarithmic ROM.
gy, and then subtracts z = logx-logy, and finally, expz is obtained by exponential ROM.

(3) "Subtraction shift method" in which shift and subtraction are repeated by trial and error with respect to the dividend.

(4) A “convergent division method” in which a result is converged to a quotient value to be obtained while repeatedly executing a multiplication.

Of these, the reciprocal ROM method is the fastest, but has the disadvantage that when high precision is required, the capacity of the ROM for storing the look-up table increases exponentially.
Therefore, in signal processing, it is used only when relatively coarse accuracy is sufficient.

The following logarithmic calculation method also needs to be used after sufficiently examining the accuracy due to the limitation of the capacity of the logarithmic ROM. In this sense, the above two ROM methods are used in any case. It is hard to say that it is a versatile method of obtaining.

Of the above four methods, the methods that can divide any precision are the subtraction shift method and the convergent division method.

In the convergent division method, the dividend and the divisor are regarded as the numerator and denominator of the fraction, and the numerator denominator is multiplied by the same convergence coefficient until the denominator approaches 1, and the obtained final numerator value is used as the quotient. Become. Alternatively, the reciprocal of the divisor is obtained by a convergence algorithm, and the quotient can be obtained from the product of the reciprocal and the dividend.

However, in consideration of an extended function of the division capability by connecting a plurality of chips (modules), in the convergence division method in which convergence is performed by an approximate operation, propagation of a partial remainder is further approximated, and an error increases. There is a problem that it becomes.

In this regard, the subtraction shift method does not have such a problem, and can perform division with arbitrary precision, and is considered to be the most suitable in consideration of an extended function of division capability by connecting a plurality of chips (modules).

Next, an extended function of the division capability will be considered.

For example, to execute the division of 567890/1234, the dividend and the divisor are repeatedly subtracted as shown in FIG.

Here, consider the use of a divisor extended to four digits using a divisor (or division module) of two digits, as shown in FIGS. 8B and 8C. , The divisor 1234 is divided into the divisor 12 and the divisor 34, the dividend 567890 is divided into the dividend 567 and the dividend 890, and the results of the distributed processing with the divisors of 12 and 34 are used to expand the division capability (see FIG. 8A ) Is not possible (like multiplication).

Therefore, division is effective within the range of usable digits, and use of even one bit exceeding the division capability cannot be easily dealt with even by using a memory or an external circuit.

In addition, a rounding operation is usually performed in division, but such use cannot be performed in an encryption / decryption system.

For the reasons described above, in the related art, the number of dividers implemented by hardware is small and is dealt with by software having a slow processing speed.

The algorithm of this divider is based on a "subtraction shift method" in which the dividend is shifted and subtracted by trial and error. The general basic formula is represented by the following recurrence formula. You.

[0134]

(Equation 1)

[0135]

(Equation 2)

Equation (B) is the quotient Q to be found, and the final remainder R
Is 2- ^{nR (n)} .

Digit of quotient q _{j + 1} in each operation step
Is determined by the magnitude relationship between 2R and D as follows.

When 2R ^(j) <D, q _{j + 1} = 0 When 2R ^(j) ≧ D, q _{j + 1} = 1 That is, first, a provisional partial remainder R ^{(j + 1)} (= 2R ^{( j)} −D), and if the partial remainder R ^{(j + 1)} is positive or “0”, q _{j + 1}
= 1 is obtained, and is set as a true partial remainder. If the partial remainder R
^{If (j + 1)} is negative, the subtraction of the temporary partial remainder is canceled at q _{j + 1} = 0.

The above recurrence formula means that the above operation is obtained by shifting R ⁽ⁿ⁾ rightward by n digits.

However, the above recurrence equation is simply for the quotient of n digits. When the division data is distributed to each module, the dividend and the divisor of each module must be connected to each other.

In general, since the dividend has more digits than the divisor, it is easy to connect the distributed divisors and subtract the dividend with the divisor by connecting the divisors and connecting the subtractor and the latch circuit. Could not be realized.

On the other hand, in the divider according to the present embodiment, the distributed divisor and the subtractor are fixed in each module, and the dividends are connected to perform the shift and the subtraction so that the modules can be distributed. I have.

In this case, the dividend is left-shifted because the divisor is fixed, contrary to the handwriting.

For example, FIG. 9 shows the operation of each step when one module is expanded to two modules for a 4-bit divider for simplicity.

The divisor distributed over the two modules is connected to the borrowing terminals BO and BN with a subtractor and a latch circuit. The dividend is connected to the QI and QO terminals and returned to the first stage RI. The divisor is fixed to each module,
The operation is terminated by repeating left shift and subtraction by the number of dividends required.

The quotient q and the partial remainder are determined by the subtraction result in each subtraction process. In the case of an 8-bit subtractor, the operation ends in seven steps, and in the eighth step, only the quotient q0 is stored. As a result, the quotient data Q is stored in a dividend latch / shift circuit 32 (see FIG. 10) described later.
The remainder data is obtained in the later-described partial remainder shift circuit 34 (see FIG. 10).

[6.2] Schematic Configuration of Divider FIG. 10 is a block diagram showing a schematic configuration of a divider using the first divider 25-1 as an example.

The first divider 25-1 includes a divisor latch circuit 31 for latching input 8-bit divisor data, a dividend latch / shift circuit 32 for latching dividend data and performing a shift operation, and a dividend data shift circuit 32. , A parallel subtraction circuit 33 for subtracting the divisor corresponding to the divisor data from the dividend, a partial remainder shift circuit 34 for storing partial remainder data and performing a shift operation, and a control circuit 35 for generating a shift pulse necessary for division. And is provided.

[6.3] Operation of Divider Next, the operation of the divider will be described with reference to FIG.

At time t1, division start pulse / ST
When AT (/ indicates low active; the same applies hereinafter) falls, the first divider 25-1 is initialized until the next rise (time t2) of the division start pulse / STAT.

Next, after time t2, the reference clock signal CK
At the time t3 when the first falls, the dividend data (8
) Is latched by the dividend latch / shift circuit 32, and the divisor data (8 bits) is latched by the divisor latch circuit 31.

When the reference clock signal CK rises next at time t4, the parallel subtraction circuit 33
When the dividend and the divisor are subtracted, and the subtraction result is positive or “0”, the changeover switch 36 is on the parallel subtraction circuit 33 side. If the subtraction result of the parallel subtraction circuit 33 is negative, the changeover switch 36 The remainder shift circuit 34 is provided.

As a result, at time t5, the partial remainder data of the partial remainder shift circuit 34 is shifted, and the partial remainder data as the result of the subtraction by the parallel subtraction circuit 33 or the partial remainder data before the subtraction is held in the partial remainder shift circuit 34. The partial remainder data before the subtraction is transferred to the partial remainder shift circuit 34.
Latched.

Similarly, during the period from time t5 to time t6, the dividend is the required number of times, that is, since it is a total of 8 bits, the seven dividends and the divisor corresponding to the remaining seven bits are subtracted and the partial remainder shift circuit is operated. Shift processing and latch processing are repeated.

At time t6, when the reference clock signal CK falls, the division end signal / DEND goes to "L" level, and the upper digit subtractor (here, the second
The subtractor 25-2) starts the operation similarly.

Then, the upper digit subtracters 25-3 to 25-3
A similar division operation is performed in 25-J, and the division end signal / DEND of the last subtractor 25-J is output to the first subtractor 2
When output to 5-1 is made, the subtraction processing ends.

As a result, each of the subtracters 25-1 to 25-
The quotient data (8 bits) is obtained in the J dividend latch / shift circuit 32, and the remainder data is obtained in the partial remainder shift circuit 34.

Since all of the above operations are performed in synchronization with the shift pulse SLA output from the control circuit 35, even when many subtractors are cascaded to increase the division capability, a timing malfunction due to a propagation delay may occur. Will not occur.

[7] Encryption and Decryption (Remainder Operation) The encryption and decryption (remainder operation) of the public key cryptosystem based on the RSA will be described with reference to FIG.

In the remainder operation of A ^N ≡A mod n, A, N,
Each value of n is input (step S31).

Next, A is substituted into A1 (step S3).
2), the initial value of the operation variable k is set to 1 (step S3)
3).

While the operation variable k is smaller than N,
That is, while the following equation k <N is satisfied (step S39), the following steps S34 to S38 are repeated.

First, it is determined whether or not N = 1 (step S34).

If N = 1 in step S34, A1 is substituted for A0 (step S3).
5).

When N ≠ 1, A1 and A1
And the result of the multiplication is substituted into A0 (step S
36) Then, A0≡A mod n is obtained (step S37), and the calculation variable k is set to k + 1 (step S38).

When the calculation variable k becomes equal to or larger than N, the obtained remainder A becomes the remainder to be obtained. At this time,
The maximum precision of the multiplication is twice the number of bits of A.

As described above, the use of the modular exponentiation operation device according to the present embodiment can greatly simplify the processing as compared with the conventional processing shown in FIG.

[8] Number of Gates of Power-Remainder Arithmetic Apparatus Here, the number of gates required when configuring the power-residue arithmetic apparatus will be described.

As is well known, since the modular arithmetic in the encryption / decryption system has extremely high precision, the multiplication precision of one module multiplier is 16 bits, the division precision of one module divider is 32 bits, and one unit is used. FIG. 13 shows the number of gates in the case where four modules are incorporated in each (variable precision of multiplication 16 to 64 bits and division 32 to 128 bits).

[0170] As shown in FIG.
To configure a bit precision divider, 1700 gates are required, and the arbitrary precision division unit in one unit of the modular exponentiation unit requires 1700 × 4 = 6800 [gates].

As shown in FIG. 13, in order to configure a 16-bit precision multiplier of one module, 1032
A gate is necessary, and the arbitrary precision multiplication unit in one unit of the modular exponentiation operation unit requires 1032 × 4 = 4128 [gate].

Therefore, the number of gates required for the modular exponentiation arithmetic unit is 6800 + 4128 = 10928 [gates], and one modular exponentiation arithmetic unit including a control circuit and a dynamic connection circuit is about 12000 [gates]. It can be made into one chip.

In 512-bit precision, 8 units are used.
1024-bit precision requires 16 units each.

[0174] [9] using a calculation time then the power residue arithmetic device, with calculation time required in the case of calculating the a ^b ≡M mod c 14 to 18
This will be described with reference to FIG.

When the exponent b is n bits, the arithmetic processing required for the modular exponentiation operation is as shown in FIG.
(4) It can be decomposed into four-stage multiplication processing and division processing. In this case, the multiplication of (1) and (3) of FIG. 14 is performed by the i-bit multiplier 21 of FIG. 15, and the division of (2) and (4) of FIG.
This is performed by the i-bit divider 20. The multiplication accuracy in the multiplication processing of (1) and (3) in FIG. 14 is less than or equal to the maximum number of bits i of c, and the product is a maximum of 2 of the number of bits i of c.
Double precision. In addition, the division accuracy in the division (remainder operation) processing of (2) and (4) in FIG. 14 is at most twice the number of bits i of c. The i-bit multiplier 21 and the 2i-bit divider 20 correspond to the arbitrary-precision multiplier 2 shown in FIG.
1 and the same configuration as the arbitrary precision division device 20.

In FIG. 15, the input values are a, b, and c, and the initial M is initialized to 1 in the register storing M. Then, M ← M × a
In the modc operation (b = 0), a and M are input to the i-bit multiplier 21, and the remainder obtained by dividing the result by c is stored as M. Also, the calculation of a ← a ² mod c (b =
In 1), a ² is obtained by inputting two a to the i-bit multiplier 21.

Here, in (1) of FIG. 14, r1 ² , r
The operation of 2 ² , r ^{3 3} ... Is performed by the i-bit multiplier 21,
In (2) in FIG. 14, the remainder obtained by dividing r1 ² , r2 ² ,... By c is defined as r2, r3.
It is obtained by the i-bit divider 20. In (3) of FIG. 14, k1 = r1 × r2, k2 = RO × r3, k3 = R1
× r4... Are multiplied by the i-bit multiplier 21. In (4) of FIG. 14, the remainders obtained by dividing K1, K2,... By c are obtained by the 2i-bit divider 20 as R0, R1,.
The remainder Rn-3 obtained by dividing -2 by c is the value M to be obtained.

FIG. 16 shows an actual example of this calculation example. FIG.
Decodes 186 ¹⁹ ≡M mod 377 to obtain M = 17
Is shown.

In FIG. 16, the remainder value “28” of (2)
9 ”,“ 204 ”,“ 146 ”, and“ 204 ”are 186
² , 289 ² , 204 ² , and 146 ² are each obtained as a remainder when divided by 377. The value of the product of (3) is 5
3754 = 186 × 289, 44880 = 220 × 20
4 is required. Further, M = 17 in (4) is 4
The remainder is obtained by dividing 4880 by 377.

Here, all of a, b, and c in FIG.
When the maximum calculation time in the case of 4 bits is represented by the required reference clock number, as shown in FIG. 17, the multiplication time of (1) is 10475552 [clock], and the remainder calculation time of (2) is 2095104 [clock]. , (3) multiplication time is 1
047552 [clock], 2 in the remainder operation time of (4)
095104 [clock] required, totaling 6285
312 [clocks] are required.

As a result, the reference clock frequency is set to 66 [M
Hz], the calculation time is 95.2.
[Msec].

Similarly, when a and b are 1024 bits and the number of bits of the exponent b is 512 bits and 9 bits, the operation time is 4 as shown in FIG.
7.6 [msec] and 0.7 [msec]. However, since these calculation times are the calculation results when the product and remainder are set to the maximum precision, they are actually smaller than these values.

As described above, each modular exponentiation unit for performing modular exponentiation with a multiplication accuracy of 2 ^m bits (m: natural number) and a division accuracy of 2 ^{2 · m} bits is constructed, and x = 2 ⁿ / By connecting x power-residue operation units so as to satisfy 2 ^m (where n is a natural number and x is a natural number), encryption and decryption with a precision of 2 ⁿ bits can be performed. Therefore, it is possible to easily expand the hardware of the system.

[0184] Note that the relationship formula of the x is the maximum arithmetic precision of the power residue arithmetic units were equal to the arithmetic precision that is ^{required, x> 2 n / 2 m} ( where, n is a natural number, x is a natural number By connecting x power-residue operation units so as to satisfy the condition (1), the same effect can be obtained only by providing a margin in the operation capacity.

Further, when a bit precision 2 ⁿ¹ (n1 is a natural number and n1 ≦ n) lower than the bit precision 2 ^{n that} can be calculated by the power-residue calculation unit is required, the x number of connected x If the power-residue calculation units are configured so that x1 power-residue calculation units are cascaded so as to satisfy x ≧ x1 ≧ 2 ⁿ¹ / 2 ^m (where x1 is a natural number), the power-residue unnecessary for the operation is obtained. There is no need to supply power to the arithmetic unit,
The power consumption can be optimized, and the calculation processing time can be optimized.

Further, as shown in FIG. 5, the modular exponentiation operation unit is composed of y cascade-connectable multiplication precisions of 2.
It can be composed of modular exponentiation modules 9-1 to 9-y for performing modular exponentiation with ^{m / y} and y division precisions of 2 ^{2 · (m / y)} . In this case, among the connected modular exponentiation operation modules, the modular exponentiation operation modules of a sufficient number y1 ≧ 2 ⁿ¹ / 2 ^{m / y} to perform encryption and decryption with 2 ⁿ¹ bits precision are cascaded. Then, the power consumption and the operation processing time can be further optimized.

The arbitrary-precision divider that realizes the division distribution processing has 128-bit precision, and the arbitrary-precision multiplier has 64 bits.
Even if it is made into one chip with bit precision, the scale of about 12,000 gates is sufficient, and 512 to 1024 bits precision can be easily handled by cascading 8 to 16 units of the multiplication / division unit (chip). Similarly, higher precision can be easily realized.

The calculation is executed with the number of clocks in proportion to the precision (for example, 512 clocks in the case of 512-bit precision), and can be constructed on a board with complete hardware, so that the speed can be increased.

In the above description, the case where a maximum of x power-residue operation units are provided has been described.
(Thin Film Transistor), when a defective transistor is generated due to a defect or the like, only one power-residue operation unit cannot be used, and the entire power-residue operation unit cannot be used. And the production cost increases.

Therefore, at least K (x ≧ K / A) power-residue operation units are prepared in advance for the yield rate A of the power-residue operation units. It is preferable to adopt a redundant configuration so as to connect x units. In this way, even if a failure occurs in the modular exponentiation module, by switching the connection to the redundant modular exponentiation module, the modular exponentiation unit can be handled as a non-defective product.

The same can be said for not only the modular exponentiation unit but also the modular exponentiation module constituting the modular exponentiation unit.
That is, the yield rate A ′ of the modular exponentiation operation module
, At least L in each modular exponentiation unit
A number (y ≧ L / A ′) of modular exponentiation operation modules are prepared in advance, and a redundant configuration is adopted so that y non-defective exponentiation modular operation modules among L power modular exponentiation modules are connected. In this way, even if a failure occurs in the modular exponentiation module, by switching the connection to the redundant modular exponentiation module, the modular exponentiation unit can be handled as a non-defective product.

In the above description, the case of the RSA cryptosystem of the public key cryptosystem has been described. However, the present invention can be similarly applied to the elliptic curve cryptosystem.

In the above-described embodiment, all the power-residue arithmetic units are provided outside the computer main unit 13. However, the power-residue arithmetic units (encryption / decryption units 14)
Part of the computer body 13 or the router body 1
7 can also be provided. In this case, an extension slot for a modular exponentiation operation unit is provided in the computer main body 13 or the router main body 17 for precision expansion, and the modular exponentiation operation unit is attached to the expansion slot as in the case where memory expansion is performed by the memory expansion slot. By doing so, the calculation accuracy can be easily extended.

In the embodiment, a plurality of personal computers 1 connected to each other by a line 11 are described.
Although the present invention is applied to No. 2, the present invention can be similarly applied to a workstation, various measuring devices, and a computer embedded in devices such as home appliances.

Further, the packet switching network to which the present invention is applied can be applied not only to a LAN but also to the Internet and the like. In the case of the Internet, an IP address (source address and destination address) is stored in a header field in an IP (INTERNET PROTCOL) datagram functioning as a packet, and data is stored in a data field. The IP address (32 bits) is address information that uniquely determines a source and a destination. Therefore, in the present invention, at least one or both of the source address and the destination address in the header field may be encrypted. Of course, a confidential data field may be provided in the data field, and the confidential data therein may also be encrypted. In particular, it is significant to apply the present invention to a network system having high information transparency such as the Internet.

(Speeding up of encryption and decryption processing)
FIG. 20 shows a microcomputer 100 in which the encryption / decryption device 14 shown in FIGS. 2 and 3 is formed as a programmable digital processor 148 into one chip together with other functional blocks.

In FIG. 20, the microcomputer 1
00 includes the following various functional units. That is, a CPU (central processing unit) 102, a ROM (read only memory) 104, a RAM (random access memory) 106 as a cache memory, a high frequency oscillation circuit 108, a low frequency oscillation circuit 110, a reset circuit 112, a prescaler 114, 16-bit programmable timer 116 and 8-bit programmable timer 1
18 and a clock circuit such as a clock timer 120, an intelligent DMAC (direct memory access
Data transfer control circuits such as a controller) 122 and a high-speed DMAC 124, an interrupt controller 126, a serial interface 128, a BCU (bus control unit) 130, an A / D (analog / digital)
Converter 132 and D / A (digital / analog) converter 1
The I / O circuit such as an analog interface circuit such as an input port 136, an output port 138, and an I / O (input / output) port 140 includes a microcomputer 1
00. Further, the microcomputer 100 includes a CPU 102 and other functional units 104 to
It includes a bus line 146 such as a data bus 142 and an address bus 144 connecting between the terminal 140 and the terminal 140, and various terminals 148. These are formed on one semiconductor substrate. Although the data bus 142 and the address bus 144 are separated from each other in FIG. 2, if data and addresses are transmitted in a time-division manner, the data and the address are used as a data / address bus by one line. It may be transmitted as an alternate use.

The internal bus 4 shown in FIG. 5 is connected to the bus line 146 shown in FIG. 20, and each of the above-described components has the same configuration as the programmable digital processor 148 having the same configuration as the encryption / decryption device 14 shown in FIG. Is also connected. Therefore, the input port 136, the output port 138, or the I / O port 1 with respect to the line 11 shown in FIG.
A part or all of the information input / output via 40 is encrypted or decrypted by the programmable processor 148.

Here, signals transmitted through the data bus 142, the address bus 144 and the internal bus 4 can be optical signals. By doing so, the signal transmission speed inside the microcomputer 100 can be significantly increased. That is, multi-channel data, for example, 32-bit data is converted into optical signals having different wavelengths, respectively.
Optical transmission is simultaneously performed in the data bus 142 formed by the optical transmission medium. Similarly, the address signal is simultaneously transmitted optically through the address bus 144 as a multi-channel optical signal having a different wavelength. When the data bus 142 and the address bus 144 are shared by one optical transmission medium, the data and the address of the optical signal are transmitted in a time division manner. Similarly, the optical signal is transmitted to the internal bus 4.

Here, the above-described functional units 102 to 14
All 0's operate to realize various functions with multi-channel electric signals as usual, and are formed of semiconductor elements and the like. For this reason, various functional units 102 to 14
Reference numeral 0 denotes a signal input unit for converting a multi-channel electric signal input via the bus line 146 (the data bus 142 and / or the address bus 144) into a multi-channel optical signal; And a signal output unit for converting the optical signal into an optical signal and outputting the converted signal to the bus line 146.

FIG. 21 is a diagram schematically showing a part of a substrate 200 on which the microcomputer 100 is formed.
FIG. 21 shows a case where the first functional unit 210 (one of the functional units 102 to 140) formed on the substrate 200 is moved to the second functional unit 220 (the functional unit 10).
A configuration for transmitting a signal via the bus line 146 to the other one of 2 to 140) is illustrated.

The first functional unit 210 includes an electric circuit area 212 and a wiring section 214 for transmitting an output signal (multi-channel electric signal) from the electric circuit area 212.
And a light emitting unit 216 as a signal output unit for emitting and outputting multi-channel optical signals having different wavelengths based on the multi-channel electric signals.

The second functional unit 220 includes a light receiving section 222 as a signal input section for converting a multi-channel optical signal into a multi-channel electric signal, an amplifying circuit 224 for amplifying the multi-channel electric signal, and an electric circuit. It has a wiring portion 226 for transmitting a signal and an electric circuit region 228. Note that the amplifier circuit 224 functions as a level shifter that shifts the voltage level of the electric signal from the light receiving unit 222 to a voltage level required by the second functional unit 220.
Provided as needed.

The bus line 146 formed between the light emitting section 216 and the light receiving section 222 is a waveguide 2 serving as an optical transmission medium.
30 and simultaneously transmits multi-channel optical signals.

The light emitting section 216 shown in FIG. 21 converts multi-channel electric signals into multi-channel optical signals.
It has a number of light-emitting elements equal to the number of multi-channels. Similarly, the light receiving section 222 also has light receiving elements for multiple channels.

Note that the first and second functional units 210,
Bidirectional signal transmission can also be performed between 220. In this case, the first functional unit 210 has a light receiving unit optically connected to the waveguide 230 as an optical transmission medium shown in FIG. 21, and an amplifier for amplifying an electric signal from the light receiving unit. On the other hand, the second functional unit 220
It has a light-emitting unit 222 optically connected to 0.

FIG. 22 is a cross-sectional view showing one example of three light emitting elements 216A to 216C and a waveguide 230 which are part of the light emitting section 216 shown in FIG. In FIG.
The light emitting elements 21 for three channels are provided on the common waveguide 230.
The state where 6A to 216C are formed is illustrated.

In FIG. 22, a waveguide 230 is formed, for example, between a lower SiO ₂ layer 240 and an upper SiO ₂ layer 242 by a transparent electrode serving as a core such as ITO (indium oxide).
(Tin oxide) layer 244. Note that all outer surfaces of the ITO layer 244 serving as a core are made of Si.
Light leakage is prevented by being covered by the O ₂ layer 240 or the SiO ₂ layer 242.

The light emitting elements 216A to 216C have the same configuration except that the composition and material of some of the layers are different, as described later. Therefore, the light emitting element 216A will be described below. The light emitting element 216A has an upper SiO ₂ layer 242
Above is a bank 2 to separate the light emitting points of each channel
50. In the bank 250, the ITO layer 25
2. The light emitting layer 254 is sequentially stacked, and covers a part of the light emitting layer 254 and the bank 250 to form a metal electrode (for example, Al-L
i) 256 are formed. Note that an optical filter that transmits a narrow band wavelength may be formed below the ITO layer 252. Thus, on the waveguide 230,
A plurality of light emitting elements 216A to 216C optically isolated by the bank 250 are formed.

The light emitting layer 254 of the light emitting element 216A is formed by, for example, an organic EL (electroluminescence). The organic EL is discharged onto the ITO layer 252 from an ink jet nozzle 258, for example, as shown in FIG. Then, by selecting the material of the organic EL, the wavelength of light emitted from the light emitting layer 254 of the light emitting element 216A of a certain channel can be changed to the light emitting elements 216B, 216 of all other channels.
The emission wavelength of the light emitting layer 254 such as 16C is made different.

When an organic EL is used as the light emitting layer 254,
The degree of freedom in selecting the emission wavelength is large, and virtually any wavelength can be selected by selecting a specific material or decoding the material.

As the organic light emitting material, the energy of the exciton in the light emitting material corresponds to the HOM corresponding to the band gap of the organic substance.
The one corresponding to the energy difference between O (highest occupied level) and LUMO (lowest empty level) is selected. For example, low molecular weight, high molecular weight, especially conjugated high molecular weight conjugated polymer,
Conductive molecules and dye molecules are selected.

When a low molecular weight organic material is used as the organic light emitting material, for example, to emit blue light, anthracene,
PPCP, Zn (O _X Z) ₂ , distilbenzene (DS
B), its derivatives (PESB) and the like are used. Also,
For example, to emit red light, BPPC, berylene, DC
M or the like is used.

Also, in the case where a high molecular weight organic material is used as the organic light emitting material, for example, PAT is used for emitting red light, and MEH-P is used for emitting orange light.
PDAF, FP-PP to emit blue light such as PV
P, RO-PPP, PPP, etc.
MPS or the like is used.

In addition, PPV, R
O-PPV, CN-PPV, PdphQ _X , PQ _X , PV
K (poly (N-vinylcarbazole)), PPS, PN
PS, PBPS, etc. are used.

In particular, the oscillation wavelength (emission color) of PVK can be changed by controlling the mixture concentration and the number of ejections of dopant inks such as dye molecules having poor carrier transport ability such as Eu complex. For example, the emission color can be adjusted by doping a fluorescent dye into an organic light emitting material made of PVK.

Further, in the case where rhodamine B or DCM can be doped into PVK, the emission color can be arbitrarily changed from green to red.

The wavelength of light (peak wavelength, wavelength band, etc.) can be adjusted to some extent by an optical filter additionally provided below the ITO layer 252 in FIG.

When light having a wide wavelength band such as white light is emitted and its wavelength is adjusted, a normal absorption type optical color filter can be used as the optical filter, thereby obtaining a desired color ( (Wavelength) only to make an optical signal.

As an optical filter additionally disposed below the ITO layer 252, a distributed reflection type multilayer mirror (DBR mirror) can be used. The DBR mirror has a structure in which a plurality of thin films having different refractive indexes are stacked, and in particular, has a plurality of pairs formed of two types of thin films having different refractive indexes. The components constituting this thin film include:
For example, a semiconductor material and a dielectric material are mentioned, and among these, a dielectric material is preferable. These can be formed using a normal vacuum film forming method or a liquid phase film forming method. As a dielectric material, an organic compound soluble in an organic solvent can be used as a starting material.
It is possible to apply the pattern formation by the ink jet method.

The light emitting elements 216A to 216C can be vertical cavity surface emitting lasers. This surface emitting laser has a cladding layer and an active layer (quantum) between two mirrors having different reflectivities, for example, a distributed reflection type multilayer (DBR) mirror (lower mirror in the example of FIG. 22). A well structure is preferable), and contact layers are arranged between the mirrors of the upper and lower layers and the electrodes of the upper and lower layers (the lower electrode is a transparent electrode such as ITO in the example of FIG. 22). Formed.

The details of this type of surface emitting laser are disclosed in earlier applications of the present applicant (Japanese Patent Application Nos. 10-2012415, 10-201244, and JP-A-7-198203). , And a detailed description thereof will be omitted.

The emission wavelength of the surface emitting laser of each channel is also determined by the material to be epitaxially grown, for example, GaAlAs.
23 can be changed, and a plurality of surface emitting lasers having different compositions can be mounted on the waveguide 230 by pattern formation by the ink jet method in FIG.

As still another example of the light emitting element 216A,
An edge emitting laser 270 as shown in FIG. 25 can also be used. Light 274 emitted from the end surface 272 of the end surface emitting laser 270 propagates through a waveguide 276 formed of an optical transmission medium such as ITO. The emission wavelength of the edge emitting laser of each channel can also be changed by selecting the composition of the constituent material.

FIG. 24 shows a light receiving element 222A for three channels provided on an extension of the waveguide 230 shown in FIG.
To 222C. This light receiving element 222A
To 222C also have a common configuration except that the composition, material, and the like of some layers described later are different.
2A will be described. The light receiving element 222A has an optical filter 262, an ITO layer 263 as a transparent electrode, and a first conductive type semiconductor layer, for example, an n-type, on the ITO layer 244 in a region where the upper SiO2 layer 242 of the waveguide 230 is removed. It has a GaAlAs layer 264, a second conductivity type semiconductor layer, for example, a p-type GaAlAs layer 266, and a metal electrode 268.

Here, the first and second conductivity type semiconductor layers 26
4,266 constitutes a PIN photodiode. As another example of configuring the PIN photodiode, one having a p-type a-SiC (p-type semiconductor), an i-type a-Si layer, and an n-type a-SiC layer may be used. At this time, an Al-Si-Cu layer can be used as the metal electrode 268.

The optical filter 262 is, for example, X1 nm
A first optical filter that transmits light of the above wavelengths,
X2 (> X1) having at least two layers with a second optical filter that transmits light having a wavelength equal to or less than nm,
It functions as a narrow band optical filter that allows light having a wavelength of nm to pass. Note that the configuration of the optical filter 262 is
The present invention can be applied to an optical filter additionally provided below the ITO layer 252 in FIG. Conversely, the IT of FIG.
The material described as the optical filter additionally disposed below the O layer 252 can be used for the optical filter 262.

With the above structure, light of a specific wavelength transmitted through the waveguide 230 and passed through the optical filter 262 is
Photo-current conversion is performed in a depletion layer formed at the interface between the first and second conductivity type semiconductor layers 264 and 266, and this electric signal can be extracted through the electrodes 263 and 268.

By the way, the optical filter 262 can change the wavelength of the transmitted light by selecting the constituent material. Further, the wavelength of light that can be detected in a photodiode including the first and second conductive semiconductor layers 264 and 268 can be changed by selecting a constituent material such as GaAlAs. As a result, the wavelength of light detected by the light receiving element 222A of a certain channel is different from the detection wavelength of the light receiving elements 222B and 222C of all other channels. Note that the optical filter 262 and the first and second conductive semiconductor layers 264 and 268 can be formed by a layer forming method using the inkjet nozzle 258 shown in FIG. Alternatively, the light receiving elements 222A, 222B, and 222C having different detection wavelengths are
0 may be implemented.

Next, an example of the operation when an optical signal is transmitted on the bus will be described. CPU 1 shown in FIG.
02 reads, for example, data from the RAM 106 which is a cache memory,
A chip enable or chip select signal for selecting 06, a read address signal, and the like are output as multi-channel electrical signals.

Here, the first functional circuit 21 shown in FIG.
If 0 is the CPU 102, the multi-channel electric signal is output from the electric circuit area 212 in FIG. The multi-channel electric signal is input to the light emitting unit 216 via the wiring unit 214. In each of the light emitting elements constituting the light emitting section 216, one of the electric signals of each channel is inputted to the metal electrode 256 shown in FIG. An optical signal of a wavelength is emitted. As a result, the light signal whose light emission is controlled for each channel is transmitted to the light emitting layer 254 of each channel.
Light is further emitted and is incident on the waveguide 230 via the ITO layer 252. In the waveguide 230, light propagates through the ITO layer 244 serving as a core, as shown in FIG.

The second functional unit 220 shown in FIG.
Assuming that M106, waveguide 230
Is input. Here, as shown in FIG. 24, each light receiving element 222A to 222A
Since the optical filter 222C has the optical filters 262 that transmit light of different wavelengths, only the light of the wavelength corresponding to each channel is incident on each of the light receiving elements 222A to 222C arranged by the number of multi-channels. You. Furthermore, since each of the light receiving elements 222A to 222C is configured to detect light having a wavelength that has passed through each optical filter 262, an electric signal can be output for each channel.

[0233] Thereafter, RA is used in the same manner as in a conventional LSI.
M106 is electrically driven and necessary data is stored in RAM1
06. The electric signal read from the RAM 106 is stored in the second functional unit 2 omitted in FIG.
The light is converted into an optical signal by the light emitting unit on the side 20 and propagated through the waveguide 230 shown in FIG. This optical signal is shown in FIG.
Is converted into an electric signal by the light receiving unit on the first functional unit 210 side, and supplied to the CPU 102 via the amplifier.

As described above, the microcomputer 100
By transmitting and receiving signals between the respective functional units by light, the loss of transmission speed can be almost ignored. Therefore, even if the degree of integration is further increased, it is not necessary to take a design in consideration of the transmission delay, and the construction and design of the circuit is greatly simplified. Moreover, the microcomputer 10
By transmitting and receiving signals between the respective functional units within 0 by light, heat generation of the microcomputer 100 can be reduced.

It is to be noted that optical communication between the microcomputer 100 shown in FIG. 20 and its peripheral devices may be adopted. Examples of the peripheral device include a display unit such as an LCD and a CRT, and a printer.

In this case, the input port 13 shown in FIG.
6. The output port 138 and the I / O port 140 may be configured to input and output multi-channel optical signals to and from the bus line 146. At this time, each port is provided with an optical shutter for blocking a passage when an optical signal is not input / output,
The optical shutter may be opened only when a peripheral device is designated by a chip select signal or the like.

[Brief description of the drawings]

FIG. 1 is a diagram schematically showing a packet communication system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a schematic configuration of the personal computer shown in FIG.

FIG. 3 is a diagram showing a schematic configuration of a router shown in FIG. 1;

FIG. 4 is a diagram illustrating an example of a packet transmitted on the line illustrated in FIG. 1;

FIG. 5 is a block diagram showing a schematic configuration of the encryption / decryption device in FIGS. 2 and 3;

FIG. 6 is a block diagram showing the encryption / decryption device in FIGS. 2 and 3 as a modular exponentiation device;

FIG. 7 is a block diagram showing a schematic configuration of an arbitrary precision division device in FIG. 6;

FIGS. 8A to 8C are explanatory diagrams for explaining the difficulty of the division distribution processing.

FIG. 9 is an explanatory diagram of the configuration and operation of the arbitrary precision divider.

FIG. 10 is a block diagram illustrating a schematic configuration of a divider.

FIG. 11 is an operation timing chart of the divider.

FIG. 12 is a diagram showing a processing procedure of encryption and decryption processing of a public key cryptosystem based on RSA.

FIG. 13 is a diagram illustrating the number of gates required for the modular exponentiation operation device.

FIG. 14 is an explanatory diagram illustrating a calculation method of a ^b ≡M mod c.

FIG. 15 is a block diagram of a circuit that executes the operation of FIG. 14;

FIG. 16 shows 186 ¹⁹ ≡M mo according to the method of FIG.
It is explanatory drawing of the calculation example which decoded d377 and calculated | required M = 17.

FIG. 17 is an explanatory diagram showing calculation of a calculation processing time required in FIG. 14;

FIG. 18 is an explanatory diagram illustrating an example of a calculation processing time.

FIG. 19 is a processing procedure of a conventional encryption and decryption process of a public key cryptosystem based on RSA.

FIG. 20 is a block diagram illustrating an example of a microcomputer equipped with an encryption / decryption device.

21 is a schematic explanatory diagram of a region including the optical transmission unit of the microcomputer shown in FIG.

22 is a schematic sectional view of a light-emitting element for three channels constituting the light-emitting unit shown in FIG.

FIG. 23 is a schematic explanatory view showing an example of a method for forming the light emitting layer shown in FIG. 22.

24 is a schematic sectional view of a light receiving element for three channels constituting the light receiving section shown in FIG. 21;

25 is a schematic explanatory view showing a modified example of the light emitting section shown in FIG. 21.

[Explanation of symbols]

Reference Signs List 1 main microprocessor unit 2 bus 4 internal bus 5 control unit 6 RAM 7-1 to 7-x modular exponentiation operation unit 8 ROM 9-1 to 9-y modular exponentiation operation module 10, 10A to 10D router 11 line 12 personal computer Reference Signs List 13 computer main unit 13A input / output unit 13B input / output interface 14 encryption / decryption device (power-residue arithmetic unit) 15 keyboard 16 display 17 router main unit 18 packet 18A address field 18A-1 source address field 18A-2 destination address field 18B data Field 18B-1 Confidential Data Field 18B-2 Normal Data Field 20 Arbitrary Precision Divider (Division Unit) 21 Arbitrary Precision Multiplier (Multiplier Unit) 22 Bus 25-1 to 25-H 8-bit divider (division module) 31 divisor latch circuit 32 dividend dividend / shift circuit 33 parallel subtraction circuit 34 partial remainder / shift circuit 35 parallel subtraction circuit 100 microcomputer 142 data bus 144 address bus 146 Bus line 148 Programmable digital processor (encryption /
Decryption device)

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5J104 AA01 AA02 AA22 CA01 JA23 JA28 NA18 PA00 5K030 GA05 GA15 HA08 HC01 HC14 HD03 HD07 5K033 AA08 CB08 DA05 DB14 DB19 EC03

Claims (9)

[Claims] 1. A packet communication system for transmitting a packet including an address field and a data field over a network in which a plurality of terminals and at least one router are connected, wherein the plurality of terminals and the at least one router Each of the two routers has an encryption / decryption device, and each of the plurality of terminals encrypts at least address information in the address field by the encryption / decryption device when transmitting a packet, and encrypts the address information when receiving a packet. The encrypted address information is decrypted by the encryption / decryption device, and the at least one router decrypts the encrypted address information by the encryption / decryption device, and is selected according to the information in the routing table. A packet communication system for transmitting the packet to a communication path. 2. The packet communication system according to claim 1, wherein each of the plurality of terminals encrypts destination address information in the address field by the encryption / decryption device when transmitting a packet. . 3. The packet according to claim 1, wherein each of the plurality of terminals encrypts source address information in the address field by the encryption / decryption device when transmitting a packet. Communications system. 4. The packet according to claim 1, wherein a confidential data field storing confidential data is provided in the data field of the packet, and each of the plurality of terminals transmits the cipher when transmitting a packet. A packet communication system, wherein the secret data in the secret data field is encrypted by a / decryption device. 5. The encryption / decryption device according to claim 1, wherein each of the encryption / decryption devices includes a plurality of modular exponentiation units, and a plurality of cascade terminals for cascading the plurality of modular exponentiation units. Wherein each of the plurality of modular exponentiation units includes a multiplication unit that performs multiplication with a multiplication accuracy of 2 ^m bits (m is a fixed natural number), and a division unit that performs division with a division accuracy of 2 ^{2 · m} bits. When the maximum operation precision of the power-residue operation performed by the plurality of power-residue operation units is 2 ⁿ (n is a natural number), x ≧ 2 ⁿ / 2 ^m (x is a natural number) A packet communication system wherein x number of the plurality of modular exponentiation operation units are connected to perform encryption or decryption so as to satisfy the following. 6. The method according to claim 5, wherein the operation precision required at the time of the operation process is 2 ⁿ¹ bits (n1 ≦ n and n1 is variable), and x1 ≧ 2 ⁿ¹ / 2 ^m (x1 ≦ x
Wherein x1 is variable and x1 pieces of the modular exponentiation operation units are cascade-connected. 7. The packet communication system according to claim 5, wherein a signal is transmitted between the plurality of modular exponentiation operation units by an optical signal. 8. The multiplication module according to claim 5, wherein each of the modular exponentiation multiplication units includes ^{: y} multiplication modules for performing multiplication with a multiplication accuracy of 2 ^{m / y} (y is a natural number); And a cascade terminal for cascading the multiplication modules of ^{(a) and (b).} And a cascade terminal for cascade connection of the packet communication system. 9. The packet communication system according to claim 8, wherein a signal is transmitted between the y multiplication modules and between the y multiplication modules by an optical signal.